Legal Update
Jul 29, 2010
HIPAA HITECH Regulations Proposed
On July 14, 2010, the U.S. Department of Health and Human Services (“HHS”) published proposed regulations modifying the privacy, security, and enforcement rules issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). When finalized, the new regulations will implement the statutory amendments made to HIPAA under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). This alert summarizes the specific changes to the rules as well as the effective dates of those changes.
Compliance Date
HITECH was generally effective February 18, 2010, although there are a number of statutory exceptions to this general effective date. Recognizing that it would be difficult for covered entities and business associates to comply with the new regulations until after they are finalized, HHS has indicated in the proposed regulations that it will provide covered entities and business associates with 180 days beyond the effective date of the final rules to comply. In addition, HHS proposes a transition period to allow covered entities and business associates to revise their business associate agreements. This transition period is discussed below.
Extending Requirements to Business Associates
HITECH extended the HIPAA privacy, security and enforcement rules to apply not only to covered entities but also directly to entities assisting covered entities, known as business associates. The proposed rules modify the definition of business associate to include entities or persons that provide data transmission services to a covered entity and require routine access to protected health information (“PHI”); subcontractors that create, receive, maintain or transmit PHI on behalf of a business associate; and vendors that offer personal health records to one or more individuals on behalf of a covered entity.
Subcontractors
Subcontractors of a business associate are also business associates to the extent they require access to PHI. A subcontractor includes any agent or person acting on behalf of the business associate, other than a workforce member, regardless of whether a contract exists between the parties. Business associates must enter into a written contract or other arrangement with a subcontractor to protect the privacy and security of PHI in the same manner that the rules require contracts between covered entities and business associates.
Requirements for Business Associate Agreements
The proposed rules remove the requirement that a covered entity report to the Secretary of HHS when a business associate materially breaches or violates its obligation under a contract and termination of the contract is not feasible, because a business associate is now directly obligated to report to the Secretary. On the other hand, the proposed rules add to the list of requirements that apply to a business associate and that must be contained in a business associate agreement. Under the proposed rules, a business associate agreement must provide that the business associate will: (i) comply with the applicable requirements of the security rules with regard to electronic PHI; (ii) to the extent the business associate is to carry out a covered entity’s obligation under the privacy rules, comply with the applicable requirements of the privacy rule; and (iii) report breaches of unsecured PHI to covered entities. Similar requirements apply to contracts between a business associate and a subcontractor.
Transition Period
The proposed rules contain a transition period for covered entities and business associates to amend their existing business associate agreements. The transition period would be available to a covered entity or business associate if, prior to the publication date of the final rules, the covered entity or business associate had an existing contract with a business associate or subcontractor, respectively, that complied with the prior provisions of the HIPAA rules and such contract is not renewed or modified (during the period beginning 60 days after publication of the final rules and ending 240 days after publication*).
The transition period ends on the earlier of: (i) the date the agreement is renewed or modified on or after the date that is 240 days after publication of the final rules; or (ii) one year and 240 days after the date the final rules are published.
Additional Changes to the Privacy Rule
The proposed rules also make the following changes:
Access to PHI
HITECH strengthened an individual’s right to access PHI by providing that when a covered entity uses or maintains an electronic health record with respect to PHI, the individual has a right to obtain a copy of such PHI in an electronic format and to direct the covered entity to transmit a copy directly to the individual’s designee, provided the request is clear, conspicuous and specific. The proposed rules would further expand this and require any covered entity that electronically maintains PHI in a designated record set to provide the individual with an electronic copy of such information in the electronic format requested.
Marketing of PHI
The proposed rules establish new limits on the use and disclosure of PHI for marketing purposes. The definition of “marketing” would be revised to specifically exclude: (i) communications regarding prescription refills, only if any financial remuneration received by the covered entity is related to the cost of making the communication; (ii) communications from a covered entity to describe health related products or services under the plan, provided that no financial remuneration is received in exchange for the information; and (iii) communications from a health care provider for treatment of an individual (including case management or coordination), provided that the communication is in writing, and if the provider receives any financial remuneration, certain notice and opt out conditions are met.
Fundraising
In addition, the proposed rules require covered entities to provide individuals with a clear opportunity to “opt out” of fundraising communications without any risk to the individual's treatment or payment. The proposed rules require a written authorization from an individual for the sale of his or her PHI unless certain exceptions apply.
Decedents
The proposed rules provide that a covered entity may disclose a decedent’s PHI to family members and others involved in the care of the individual unless doing so is inconsistent with a prior expressed preference of the individual, and that the health information of a person who has been deceased for more than 50 years is not considered PHI.
Immunizations
The proposed rules would also permit a covered entity to provide proof of immunizations to schools without the written authorization otherwise required by the rules, provided the covered entity obtains an agreement to the disclosure from a parent, guardian or, if the individual is an adult or emancipated, the individual.
Notice of Privacy Practices
The proposed rules suggest several possible changes to the privacy notice, including (i) that the notice include a statement that describes the uses and disclosures of PHI that require an authorization, (ii) that the notice explain that most uses and disclosures of psychotherapy notes or for marketing purposes require an authorization, and (iii) that if a covered entity intends to contact the individual to raise funds, the notice must not only inform the individual of this intention, but also inform the individual that there is a right to opt out of receiving such communications.
Although covered entities do not need to incorporate any of the changes in the proposed regulations into their HIPAA documents at this time, covered entities should be aware that their HIPAA privacy and security documents should be reviewed now and will have to be revised when final rules are issued. Because the HIPAA privacy and security rules now apply directly to business associates, business associates should begin preparations to draft their own HIPAA privacy and security documents.
For further details, or if you have any questions regarding these proposed regulations, contact your Seyfarth Shaw LLP attorney or any Health Care attorney listed on the website at www.seyfarth.com/healthcare.
*The preamble required that such contract was not renewed or modified between the effective date and the compliance date of the modifications to the Rules. It is unclear why the regulations permit a renewal or modification within the first 60 days after publication.
Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.